Sophos

W32/Inforyou-A

Aliases
  • W32/Inforyou@MM
  • WORM_INFORYOU.A
  • Email-Worm.Win32.Padowor.a

How it spreads
  • Email attachments
Affected operating systems Windows
Protection available since 20 February 2005 17:52:28 (GMT)
Detected by All Sophos products

More Information

W32/Inforyou-A is an email worm for the Windows platform.

W32/Inforyou-A arrives as an email that invites the recipient to open an attachment. The attachment is a password-protected ZIP file, with the password given in the body of the email so that a mail gateway cannot inspect the payload while the recipient still can. The theme of the email is one of the following:

  • "Fraudulent activity was detected by security" and an account has been frozen.
  • "Interesting" information has been uncovered about "budget usage."
  • A "new version of credit" software has been released.
  • The attachment relates to material of "a naked kind."
  • The attachment relates to "art" which the sender has found on a computer.

The ZIP file contains a single file with a random name and an extension of SCR, PIF or EXE (all of which Windows runs as executables).
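The password in the lure body only protects the compressed file data: classic ZipCrypto leaves the ZIP central directory in the clear, so entry names and the per-entry encryption flag can be read by a gateway without the password. The following triage routine is an added example written for this page, not Sophos code and not part of the worm; it walks the central directory directly and flags archives that carry an encrypted entry with an executable extension. The sample archive is constructed in the block (the inner name "k3j9x.scr" is invented) and its encryption flag bits are set by hand to imitate a password-protected ZIP, since the standard library cannot write encrypted archives.

```python
"""Triage a ZIP email attachment without decrypting it (added example)."""
import io
import struct
import zipfile

# Extensions that Windows executes; the page lists SCR, PIF and EXE for this worm.
EXEC_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd"}

# Central directory file header: 46 fixed bytes, followed by name/extra/comment.
_CDH_FMT = "<IHHHHHHIIIHHHHHII"
_CDH_SIG = b"PK\x01\x02"
# End of central directory record: 22 fixed bytes, followed by the archive comment.
_EOCD_FMT = "<IHHHHIIH"
_EOCD_SIG = b"PK\x05\x06"


def parse_central_directory(data: bytes):
    """Return [(name, encrypted, uncompressed_size)] for every entry in the archive."""
    eocd = data.rfind(_EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    (_sig, _disk, _cd_disk, _n_here, n_entries, _cd_size,
     cd_offset, _comment_len) = struct.unpack(_EOCD_FMT, data[eocd:eocd + 22])
    entries = []
    pos = cd_offset
    for _ in range(n_entries):
        if data[pos:pos + 4] != _CDH_SIG:
            raise ValueError("corrupt central directory")
        hdr = struct.unpack(_CDH_FMT, data[pos:pos + 46])
        flags, usize, name_len, extra_len, comment_len = hdr[3], hdr[9], hdr[10], hdr[11], hdr[12]
        raw_name = data[pos + 46:pos + 46 + name_len]
        # Bit 11 marks UTF-8 names; otherwise names are CP437 per the ZIP spec.
        name = raw_name.decode("utf-8" if flags & 0x800 else "cp437")
        entries.append((name, bool(flags & 0x1), usize))  # bit 0 = entry is encrypted
        pos += 46 + name_len + extra_len + comment_len
    return entries


def triage(data: bytes):
    """Classify an attachment: 'block' if an encrypted executable is inside."""
    entries = parse_central_directory(data)
    report = {"entries": entries, "executables": [], "encrypted_executables": []}
    for name, encrypted, _size in entries:
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in EXEC_EXTENSIONS:
            report["executables"].append(name)
            if encrypted:
                report["encrypted_executables"].append(name)
    if report["encrypted_executables"]:
        report["verdict"] = "block"
    elif report["executables"]:
        report["verdict"] = "review"
    else:
        report["verdict"] = "allow"
    return report


def build_sample(names):
    """Constructed sample: a ZIP whose entries are marked encrypted.

    The bodies are not really encrypted; only the general-purpose flag bit 0 is
    set in each local header (offset 6) and central header (offset 8), which is
    exactly what a parser that never decrypts will see on a real password ZIP.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for n in names:
            zf.writestr(n, b"MZ" + b"\x00" * 30)  # fake PE stub, 32 bytes
    data = bytearray(buf.getvalue())
    for sig, flag_off in ((b"PK\x03\x04", 6), (_CDH_SIG, 8)):
        i = data.find(sig)
        while i >= 0:
            data[i + flag_off] |= 0x1
            i = data.find(sig, i + 4)
    return bytes(data)


if __name__ == "__main__":
    sample = build_sample(["k3j9x.scr", "readme.txt"])
    for name, enc, size in parse_central_directory(sample):
        print(f"{name:<12} encrypted={enc} size={size}")
    print("verdict:", triage(sample)["verdict"])
```

The same walk also catches the double-extension trick ("photo.jpg.scr") because only the final extension is tested, and it keeps working for WinZip AES archives, which likewise leave entry names in the clear. What it cannot see is the content, so a clean-looking name inside an encrypted archive still deserves the "review" path rather than "allow".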

The banks and online services named in the "frozen account" lure include the following:

1st Choice Bank, Amarillo National Bank, Bank of America, Bank of Boston,
Bergen Commercial Bank, California Federal Bank, Citizens Trust Bank, Dollar
Bank, eBay, First American National Bank, First Bank of Texas, Great Falls
Bank, HSBC Bank, Humboldt Bank, Intrust Bank, Kansas State Bank, KeyBank,
Landmark Bank, Lloyds Bank, Mainland Bank, National Westminster Bank, PayPal,
PNC Bank, Premier Bank, RCB Bank, Republic Bank, Riggs Bank, River City Bank,
Schwertner State Bank, State Bank and Trust, State Central Bank, Texas
National Bank, U.S. Bancorp, U.S. Bank, West Coast Bank, Wilber National Bank,
Wilson Bank

The names used in the email are taken from the infected user's computer or from a pre-defined list. The "from" email address is spoofed, so the apparent sender is not the infected machine's owner.

When first run, W32/Inforyou-A will copy itself to the Windows system folder with a random name and an EXE extension. The worm will then drop a DLL with a random name into the Windows system folder. This DLL is also detected as W32/Inforyou-A.

In order to run automatically each time Windows starts, W32/Inforyou-A registers the dropped DLL as a COM object and lists it under ShellServiceObjectDelayLoad, a key whose CLSIDs are loaded into Explorer when the shell starts. It sets the following registry entries:

HKCR\CLSID\{3845CD5A-6FA0-3E0C-3980-000CD8DE3A31}\InProcServer32
(default)
<path to worm DLL>

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad
.Net Framework
{3845CD5A-6FA0-3E0C-3980-000CD8DE3A31}
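A practitioner checking a machine for this persistence needs to join the two keys: every value under ShellServiceObjectDelayLoad is a CLSID, and the DLL actually loaded is whatever that CLSID's InProcServer32 default value points at. The script below is an added example for this page, not Sophos or worm code; it parses a registry export (.reg) offline and resolves each SSODL entry to its DLL, flagging any CLSID that is not on a baseline list. The export text is constructed here: the ".Net Framework" value and its CLSID come from the page, while the DLL file name "xkqwe.dll" is invented, and the WebCheck CLSID used as the baseline entry is assumed to be the normal content of this key on a clean machine.

```python
"""Resolve ShellServiceObjectDelayLoad persistence from a .reg export (added example)."""
import re

SSODL_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad"
CLSID_ROOT = r"HKEY_CLASSES_ROOT\CLSID"

# Assumed baseline: WebCheck is the entry normally present on a clean system.
# Populate this from a known-clean reference machine before relying on it.
BASELINE_CLSIDS = {"{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"}

# Constructed sample export. The worm's value name and CLSID are from the page;
# the DLL file name "xkqwe.dll" stands in for the random name the worm picks.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
".Net Framework"="{3845CD5A-6FA0-3E0C-3980-000CD8DE3A31}"

[HKEY_CLASSES_ROOT\CLSID\{E6FB5E20-DE35-11CF-9C87-00AA005127ED}\InProcServer32]
@="C:\\WINDOWS\\system32\\webcheck.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{3845CD5A-6FA0-3E0C-3980-000CD8DE3A31}\InProcServer32]
@="C:\\WINDOWS\\system32\\xkqwe.dll"
"""

_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s: str) -> str:
    """Undo .reg string escaping (backslashes and quotes are doubled/escaped)."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_reg_export(text: str):
    """Minimal parser for REGEDIT5 exports: {key_path: {value_name: data}}.

    Only string values are decoded; '@' is the key's default value.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group(1) == "@" else _unescape(m.group(2))
            data = m.group(3)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])
            keys[current][name] = data
    return keys


def ssodl_entries(keys):
    """Join each SSODL value to the InProcServer32 DLL of the CLSID it names."""
    entries = []
    for value_name, clsid in keys.get(SSODL_KEY, {}).items():
        server = keys.get(f"{CLSID_ROOT}\\{clsid}\\InProcServer32", {}).get("@")
        entries.append({
            "value": value_name,
            "clsid": clsid,
            "dll": server,
            "baseline": clsid.upper() in BASELINE_CLSIDS,
        })
    return entries


def suspicious(entries):
    """Entries whose CLSID is not in the baseline: candidates for the worm's DLL."""
    return [e for e in entries if not e["baseline"]]


if __name__ == "__main__":
    for e in suspicious(ssodl_entries(parse_reg_export(SAMPLE_REG))):
        print(f"SSODL value {e['value']!r} -> {e['clsid']} -> {e['dll']}")
```

A value name chosen to look like a Windows component (".Net Framework" here) is the reason the check keys on the CLSID and the resolved DLL path rather than on the name. On a live host the same join can be done with reg.exe exports of the two keys; removing the SSODL value alone is not enough, since the CLSID registration and the dropped DLL in the system folder remain.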

W32/Inforyou-A searches the local hard drive for email addresses to send itself to. It harvests addresses from files with the following extensions: ASC, ASP, CGI, EML, HTM, JS, NWS, PH, PL, SHTM, TXT, VB, VCF, WAB.

W32/Inforyou-A attempts to stop the following services (anti-virus products, ZoneAlarm, and sharedaccess, which is the Windows Firewall/Internet Connection Sharing service):
  • Detector de OfficeScanNT
  • McAfee Framework Service
  • Norton Antivirus Service
  • Panda Antivirus
  • sharedaccess
  • ZoneAlarm

W32/Inforyou-A may attempt to download and run an executable file.
